Re: SSL certificates
- From: SJMP <sjmp@xxxxxxxxxxxxxxxx>
- Date: Thu, 8 Jan 2009 08:51:30 -0800
A few questions:
I have two receive connectors
Client - which points to mail.mydomain.com (public MX record)
Default - which points to the internal FQDN
Should I just change the default to point to the server name located in the
SSL Certificate? Will this affect internal mail flow?
My SSL Cert has mail.mydomain.com which is why I am now getting the errors
Microsoft Exchange couldn't find a certificate that contains the domain name
fqdn.mydomain.com in the personal store on the local computer. Therefore, it
is unable to support the STARTTLS SMTP verb for the connector Default
"internal - server" with a FQDN parameter of internal-server.mydomain.com. If
the connector's FQDN is not specified, the computer's FQDN is used. Verify
the connector configuration and the installed certificates to make sure that
there is a certificate with a domain name for that FQDN. If this certificate
exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the
Microsoft Exchange Transport service has access to the certificate key.
"Elan Shudnow [MVP]" wrote:
There is a relationship. I actually go into this on my article below:
http://www.shudnow.net/2008/11/08/exchange-2007-mail-flow-dns-records-connectors-and-tls/
You can create a dedicated Internet Receive Connector that matches a name in
the certificate which will allow it to advertise StartTLS for that name. Or
you can leave the self-signed certificate on there so it'll fallback to the
self-signed certificate to advertise StartTLS to internet Server to Server
SMTP.
For OWA, Outlook Anywhere, and EAS, all you need is IIS. Although you'd
still want SMTP on there to do SMTP of course.
--
Elan Shudnow
Exchange MVP
http://www.shudnow.net
"SJMP" <sjmp@xxxxxxxxxxxxxxxx> wrote in message
news:6FC1468D-CE36-45CD-A78B-4A40C42EFE7A@xxxxxxxxxxxxxxxx
Thanks Skip - I don't want to create a new cert. I want to eliminate cert 2
and cert 3 while making adjustments, if needed, to cert 1 -
Also I am trying to see how the send/receive connectors' FQDN play a part in
this, and how/if there is a relation between SSL Cert and connectors.
"skip" wrote:
When you make your cert request you have the option to specify the internal
netbios name and the external fqdn that users will hit from outside your
network. The -Domainname parameter in the cert request is used to map the
internal netbios and fqdn that you want the cert to respond to.
Example
My fqdn that users hit from the outside is mail.kbblab.com; the internal
name of the cas server is casht.kbblab.com. This works for internal and
external clients.
new-ExchangeCertificate -GenerateRequest `
  -SubjectName "DC=com,dc=kbblab,o=kbblabinc,cn=mail.kbblab.com" `
  -DomainName mail.kbblab.com,casht.kbblab.com,casht `
  -IncludeAutoDiscover -IncludeAcceptedDomains `
  -PrivateKeyExportable $true -path c:\certrequest.txt -force
"SJMP" <sjmp@xxxxxxxxxxxxxxxx> wrote in message
news:35C04B01-DE7D-4B3C-9517-33A14195FE5A@xxxxxxxxxxxxxxxx
Thanks Elan
My questions are twofold.
1 - What services do I need enabled on the Cert if we are using OWA, Outlook
Anywhere, and Windows Mobile?
2 - The other certs which seem to have been created by default - Cert 2 and 3
- are they needed by AD or anything else for internal use?
"Elan Shudnow [MVP]" wrote:
You have certificates that are being utilized for services that aren't
enabled on your valid certificate. Are you using these services? If not,
it should be safe to remove. If yes, then make sure that you utilize the
service on your new valid certificate. The new valid certificate should
contain the name that the users connect via the old certificate so they
don't get any connectivity issues when you remove the old certificate and
utilize only the new valid one.
--
Elan Shudnow
Exchange MVP
http://www.shudnow.net
"SJMP" <sjmp@xxxxxxxxxxxxxxxx> wrote in message
news:B5702447-7389-433D-9540-421D977C2D25@xxxxxxxxxxxxxxxx
PS - It is the second and third cert that I want to remove
Cert 2 - expires 3/4/2009
Cert 3 - expires 1/29/2009
"SJMP" wrote:
I want to know if I can remove two of the three certs on the Exchange
2007 SP1 server, leaving just the valid third party SSL cert. Users connect
via Outlook Anywhere and Windows Mobile.
"Event ID 12018 - STARTTLS certificate will expire soon. The certificate
domain for this event was server.mydomain.com (internal server name)"
On my send connector the FQDN is mail.mydomain.com (public server name
matching third party SSL cert)
On my receive connector the FQDN is server.mydomain.com (internal server
name)
Cert 1 - this is my valid SSL cert from comodo
Cert Domain - mail.mydomain.com, www.mail.mydomain.com
Issuer - Comodo
Root CA Type - Registry
Services - IIS, SMTP
Cert 2 -
Cert Domain - server, server.mydomain.com (internal server name)
Issuer - server
RootCAType - None
Services - IMAP, POP, SMTP
Cert 3 -
Cert Domain - server.greenbriarequity.com (internal server name)
Issuer - mail.mydomain.com (external name)
RootCAType - Enterprise
Services - IMAP, POP, SMTP
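The relationship Elan describes (Transport can only advertise STARTTLS on a connector whose FQDN is covered by a certificate that is enabled for the SMTP service) and the expiry condition behind Event ID 12018 can be checked with a small script. The following is an added example written for this thread; it is not code from any of the posters or from Microsoft. Without the -Live switch it runs against objects constructed here to mirror the three certificates and two connectors in the thread (placeholder thumbprints, and Cert 1's expiry date is assumed since the thread does not give it); with -Live, run from the Exchange Management Shell, it reads the real objects with Get-ExchangeCertificate, Get-ReceiveConnector and Get-SendConnector. The second run simulates removing Cert 2 and Cert 3, which is the question the thread asks.

```powershell
param([switch]$Live)

function Test-NameCoveredByCert {
    param([string]$Fqdn, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $Fqdn) { return $true }          # -eq is case-insensitive
        # A wildcard entry (*.example.com) covers exactly one extra label.
        if ($d.StartsWith('*.')) {
            $label = $Fqdn.Split('.')[0]
            if ($Fqdn -eq ($label + $d.Substring(1))) { return $true }
        }
    }
    return $false
}

function Get-ConnectorCertReport {
    param([object[]]$Certs, [object[]]$Connectors,
          [datetime]$AsOf = (Get-Date), [int]$WarnDays = 30)
    foreach ($c in $Connectors) {
        $fqdn = [string]$c.Fqdn
        # Only certificates enabled for the SMTP service can be used for STARTTLS.
        $covering = @($Certs | Where-Object {
            ("$($_.Services)" -match 'SMTP') -and
            (Test-NameCoveredByCert -Fqdn $fqdn -CertDomains $_.CertificateDomains)
        })
        if ($fqdn -eq '') {
            $status = 'FQDN not set; the server FQDN is used instead'
        } elseif ($covering.Count -eq 0) {
            $status = 'NO CERT: STARTTLS cannot be offered for this FQDN'
        } else {
            $best = $covering | Sort-Object NotAfter -Descending | Select-Object -First 1
            $daysLeft = ($best.NotAfter - $AsOf).Days
            if ($daysLeft -lt 0)             { $status = 'EXPIRED' }
            elseif ($daysLeft -le $WarnDays) { $status = "EXPIRING in $daysLeft days" }
            elseif ($best.IsSelfSigned)      { $status = 'OK (self-signed; internet peers will not trust it)' }
            else                             { $status = 'OK' }
        }
        New-Object PSObject -Property @{
            Connector   = [string]$c.Identity
            Fqdn        = $fqdn
            Status      = $status
            Thumbprints = (($covering | ForEach-Object { $_.Thumbprint }) -join ',')
        }
    }
}

# Constructed sample data mirroring the thread; thumbprints are placeholders
# and Cert 1's NotAfter is assumed (the thread does not state it).
$SampleCerts = @(
    (New-Object PSObject -Property @{ Thumbprint='CERT1-PLACEHOLDER'; IsSelfSigned=$false
        CertificateDomains=@('mail.mydomain.com','www.mail.mydomain.com')
        Services='IIS, SMTP';       NotAfter=[datetime]'2010-01-01' }),
    (New-Object PSObject -Property @{ Thumbprint='CERT2-PLACEHOLDER'; IsSelfSigned=$true
        CertificateDomains=@('server','server.mydomain.com')
        Services='IMAP, POP, SMTP'; NotAfter=[datetime]'2009-03-04' }),
    (New-Object PSObject -Property @{ Thumbprint='CERT3-PLACEHOLDER'; IsSelfSigned=$false
        CertificateDomains=@('server.greenbriarequity.com')
        Services='IMAP, POP, SMTP'; NotAfter=[datetime]'2009-01-29' })
)
$SampleConnectors = @(
    (New-Object PSObject -Property @{ Identity='SERVER\Client';  Fqdn='mail.mydomain.com' }),
    (New-Object PSObject -Property @{ Identity='SERVER\Default'; Fqdn='server.mydomain.com' })
)

if ($Live) {
    $certs = @(Get-ExchangeCertificate)
    $conns = @(Get-ReceiveConnector) + @(Get-SendConnector)
    $asOf  = Get-Date
} else {
    $certs = $SampleCerts
    $conns = $SampleConnectors
    $asOf  = [datetime]'2009-01-08'    # the date of the thread
}

"--- Current state ---"
Get-ConnectorCertReport -Certs $certs -Connectors $conns -AsOf $asOf |
    Format-Table Connector, Fqdn, Status, Thumbprints -AutoSize

if (-not $Live) {
    "--- After removing Cert 2 and Cert 3 ---"
    $remaining = @($certs | Where-Object { $_.Thumbprint -eq 'CERT1-PLACEHOLDER' })
    Get-ConnectorCertReport -Certs $remaining -Connectors $conns -AsOf $asOf |
        Format-Table Connector, Fqdn, Status, Thumbprints -AutoSize
}
```

Against the sample data the Client connector (mail.mydomain.com) is covered by Cert 1 in both runs, while the Default connector (server.mydomain.com) is covered only by the self-signed Cert 2; once Cert 2 and Cert 3 are gone it reports that no certificate can serve STARTTLS for that FQDN, which is exactly the condition the quoted Exchange error describes. The two remedies the thread gives map directly onto the report: either change that connector's FQDN to a name present in Cert 1, or keep the self-signed certificate for the internal name. When a certificate does cover the FQDN but Transport still logs the error, the event text's own instruction applies: enable it for SMTP with Enable-ExchangeCertificate -Services SMTP so the Transport service can use its private key.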